<?php

	// login and logout handlers — this file runs on include: a POSTed 'login'
	// field triggers the login path, a 'logout' field in GET/POST the logout path
	
	// login
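	// Login handler. Validates the submitted username/password, looks the
	// account up with a prepared statement (the original built SQL by string
	// concatenation and ran it even when validation had already failed and
	// $username/$password were undefined), then on success starts a fresh
	// session and optionally sets the "remember me" cookie. Every outcome is
	// reported by printing the accumulated $message entries.
	if(isset($_POST['login'])) {

		// connect to db — $db is assumed to be a PDO instance (the original code
		// used $db->query()->fetch()), so prepare()/execute() are available
		require_once '../db/db.php';

		$error   = false;
		$active  = false;
		$message = array();

		// username: present, 6-12 bytes, and only letters / digits / '-' / '_'
		$rawUsername = isset($_POST['username']) ? $_POST['username'] : '';
		if(!is_string($rawUsername)) {
			// e.g. username[]=… — treat a non-string as missing
			$rawUsername = '';
		}

		if(!empty($rawUsername)) {

			$len = strlen($rawUsername);
			if($len < 6 || $len > 12) {

				$message[] = '<p class="error">Username must be between 6 and 12 characters.</p>';
				$error = true;

			// \z (not $) so a trailing newline cannot slip through the whitelist
			}elseif(!preg_match('/^[a-zA-Z0-9\-\_]+\z/', $rawUsername)) {

				$message[] = '<p class="error">Usernames must contain only letters, numbers, hyphens(-) and underscores(_).</p>';
				$error = true;

			}else{

				// the whitelist above already excludes everything a sanitizer
				// would touch, so no further filtering is needed
				$username = $rawUsername;

			}

		}else{

			$message[] = '<p class="error">Please provide a username.</p>';
			$error = true;

		}

		// password: must be present
		$rawPassword = isset($_POST['password']) ? $_POST['password'] : '';
		if(!is_string($rawPassword)) {
			$rawPassword = '';
		}

		if(!empty($rawPassword)) {

			// NOTE(review): FILTER_SANITIZE_STRING (deprecated since PHP 8.1)
			// strips tags and HTML-encodes quotes, i.e. it CHANGES the password
			// before it is hashed. Kept only because the stored hashes presumably
			// went through the same filter at registration — confirm against the
			// registration code before removing it.
			$password = filter_var($rawPassword, FILTER_SANITIZE_STRING);

		}else{

			$message[] = '<p class="error">Please enter a password.</p>';
			$error = true;

		}

		// look the account up only once both inputs validated, so
		// $username/$password are always defined and no query runs on bad input
		if($error == false) {

			// NOTE(review): passwords are stored as unsalted md5, which is
			// trivially reversible for common passwords. Migrate to
			// password_hash()/password_verify() with a rehash on successful login;
			// that needs the registration code and a wider column, so it is not
			// done here.
			$stmt = $db->prepare('SELECT active FROM users WHERE username = ? AND password = ?');
			$stmt->execute(array($username, md5($password)));

			// one round trip answers both "does the account exist" and "is it
			// active": fetchColumn() returns false when no row matched
			$activeFlag = $stmt->fetchColumn();

			if($activeFlag === false) {

				$message[] = '<p class="error">Cannot find user account. Please check your username and password and try again.</p>';
				$error = true;

			// must be 1 to be active
			}elseif($activeFlag == 1) {

				$active = true;

			}else{

				$message[] = '<p class="error">Please activate your account.</p>';
				$error = true;

			}

		}

		// create session
		if($error == false && $active == true) {

			if(session_status() === PHP_SESSION_NONE) {
				session_start();
			}
			// issue a new id on login so a pre-set (fixated) session id is never
			// promoted to an authenticated one
			session_regenerate_id(true);
			$_SESSION['atbat'] = md5($username);

			// if user chooses to be remembered...
			if(isset($_POST['remember']) && $_POST['remember'] == 1) {

				// NOTE(review): md5(username) is not a secret — anyone who knows a
				// username can forge this cookie. It should be a random token
				// (random_bytes()) stored server-side; the value is kept because the
				// code that reads the cookie is not in this file. httponly keeps it
				// away from page scripts; set the secure flag once served over HTTPS.
				// 1209600 s = 2 weeks.
				setcookie('remember_atbat', md5($username), time() + 1209600, "/", "localhost", false, true);

			}

			// notify user of success
			$message[] = '<p class="success">Login Successful.</p>';

		}

		// response messages (fixed HTML strings only — no user input is echoed)
		foreach($message as $m) {

			print $m;

		}

	}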
	
	// logout
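	// Logout handler: wipes the session (data, cookie and id), clears the
	// remember-me cookie with the same attributes it was issued with, and
	// redirects to the index.
	// NOTE(review): $_REQUEST means a plain GET link — or an <img src=…> on a
	// third-party page — logs the user out (forced-logout CSRF). Prefer POST
	// plus a CSRF token once the form can send one.
	if(isset($_REQUEST['logout'])) {

		if(session_status() === PHP_SESSION_NONE) {
			session_start();
		}

		// destroy session: server-side data first, then the session cookie in the
		// browser (same path/domain/flags it was issued with), then the id itself
		$_SESSION = array();
		if(ini_get('session.use_cookies')) {
			$params = session_get_cookie_params();
			setcookie(session_name(), '', time() - 60, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
		}
		session_destroy();

		// clear the remember-me cookie. Browsers key cookies on (name, domain,
		// path); the original call passed no path/domain, so it created a second
		// expired cookie and left the one set at login ("/", "localhost") intact.
		setcookie('remember_atbat', '', time() - 60, "/", "localhost", false, true);

		// move to index
		// local host
		header("Location: http://localhost/atbat/html/");
		// production
		// header("Location: http://atbat.smullinstudios.com");

		// a Location header does not stop the script; nothing below a redirect
		// should keep running for a logged-out request
		exit;

	}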

?>